Australian telco sector looking down the barrel of a prescribed security standard
The Department of Home Affairs has brushed aside industry concerns that the Security of Critical Infrastructure Act (SoCI Act) duplicates obligations found in the Telecommunications Sector Security Reforms (TSSR).
As far as the department is concerned, rather than overlapping regimes, there would be “one continuum” of regulation where the Telecommunications Act is paramount, but parts of the SoCI Act would be “activated” to fill in gaps.
“The explanatory memorandum for the Security of Critical Infrastructure Act amendments very clearly states that, where primary legislation exists that regulates the activities of a critical infrastructure sector, that primary legislation remains operant,” Home Affairs deputy secretary for national resilience and cybersecurity Marc Ablong told the Parliamentary Joint Committee on Intelligence and Security on Thursday.
“To the degree that we need to look at amendments to that act — minor in nature — to ensure that it is consistent with the positive security obligations that are set out in the [SoCI] Bill, we would do that to the Telco Act.”
Two such gaps in the Telco Act that Ablong identified were the ability of government to assist companies facing a significant cyber attack and the enhanced cybersecurity obligations.
“We don’t consider them to be rival regulatory regimes but parts of the one continuum that starts with companies very much recognising that they have a unique position as telcos. To the degree that the existing regulatory regime set out in part 14 can suffice, it will suffice,” he said.
“To the degree that it can’t suffice, that’s when the Security of Critical Infrastructure Act amendments will apply. But we don’t intend this to come as any surprise to the industry.”
One area where the TSSR is ambiguous is its requirement for carriage service providers to “do their best” to protect telecommunication networks and facilities, and both telcos and the department believe it needs clarification.
“We’d suggest that a higher standard than just doing your best might be required,” Ablong said. “To the degree that the language in the TSSR says, ‘Do your best,’ we might replace it with, ‘You are required to meet standard X,’ whatever the standard is that we and the industry come to a common view on in the co-design process.”
How the positive security obligation looks for each sector will be determined through a co-design process with industry, examining the relevant primary legislation and working out what needs to be added, the deputy secretary said.
“The obligation for the telco sector would be different to that for the banking sector, for instance,” Ablong said.
“The process of co-designing with industry and providing them with information about, ‘Here are the threats we think your industry will face over the foreseeable future; this is where we think your primary legislation requires you, or obliges you, to meet a certain security requirement; and this is what more we think you could add to your ability to meet an obligation under the Critical Infrastructure Act,’ is very much a co-design process.”
In the end, Ablong said the solution could be to replace the “do their best” wording with a standard, whether it is the Essential Eight from the ACSC, or a standard from NIST or the UK’s National Cyber Security Centre.
“Ultimately, in the conversations that we have been having with industry … the first question is: To what standard do you hold yourself as an industry? Then you would ask: What are the measures that you’re using to assure yourself that, against the risks which we’ve talked about, you are able to deal with those risks?” he said.
“If somebody says to me, ‘I use the NIST standards’ and another industry says, ‘I use the NCSC standards from the UK’, both of those are suitably robust that, for most intents and purposes, we would probably say, ‘That’s good enough’.”
Earlier in the day, Telstra and Optus raised concerns that the Critical Infrastructure Centre needed to provide more proactive advice to telcos, rather than just responding to alerts from telcos when changes to services, systems, or equipment could have a “material adverse effect” on their ability to meet TSSR obligations.
“Currently we get really good and detailed advice, but it has to be triggered by us putting in a notification or providing a briefing, and then that advice will come back,” Telstra national cybersecurity principal Jennifer Stockwell said.
“It will be very detailed and will help us to understand the risk for that particular project, but it would be very helpful to have more upfront, because then, when I’m working day to day with our network engineers and operational staff, I can provide them with the guardrails to start with, and that really helps decision-making and speeds up projects.”
In December, Optus revealed it was responsible for over half of TSSR notifications.
“Optus has reviewed the TSSR status of well over 150 projects and proposed changes over the last two years and submitted formal TSSR notifications for 36 of them,” it said at the time.
“The time for the resolution of these notifications has varied between 30 days to eight months.”
On Thursday, Telstra regulatory principal John Laughlin said Australia’s largest telco took a different approach.
“We have deliberately taken an approach where we notify on mitigated risk,” he said.
“We only lodge a notification after all the systems and controls are in place, where we still believe that there’s a material adverse effect to our ability to meet the security obligation.”
Stockwell added that Telstra only notifies on the end solution.
“The unmitigated risk is a risk that is not going to be realised, provided we have the adequate mitigating controls in place,” she said.
“It’s really important to mention that early engagement with the critical infrastructure centre and the ability to have that early engagement is critical to inform those controls so that we put all the appropriate mitigations in place, taking into account the full understanding of the threat landscape.”
Whether through bad preparation or obfuscation, Laughlin was unable to provide the committee with the number of notifications Telstra had provided, except to say it was “substantially less” than Optus.
The difference in notification thresholds is one of the reasons Home Affairs wants to have a “conversation” with telcos in the co-design phase to see whether the government and the private sector hold different views on risk.
“If they have been thinking about it purely from the perspective of, for instance, somebody’s ability to cut the trunk cables and therefore their inability to provide a service to a portion of Australia, we would be equally concerned about the ability of somebody to hack in or intercept communications carried over their networks, but if they don’t consider that to be a material risk, then they’re not going to notify us or report about those sorts of things,” Ablong said.
The deputy secretary added the Critical Infrastructure Bill was necessary in light of the recent Colonial Pipeline incident.
“The critical infrastructure amendments … very much cover what is required in order for Australia to have greater assurance that the sorts of things that we saw with the Colonial Pipeline, for instance, in the United States are less likely to happen here, that we have taken all necessary measures to protect our critical infrastructure and for the entities involved in those sectors of the economy that might be considered critical infrastructure to have protected themselves.”
On the other side of the fence is the Communications Alliance, which has put forward a proposal to either repeal the TSSR notification obligations or exempt telcos that fall under the Critical Infrastructure Bill.
“We would very much prefer the certainty that comes with repealing provisions that could create duplication, as opposed to relying on the goodwill and best endeavours of agencies over time to avoid that through positive decisions of their own,” Comms Alliance CEO John Stanton said.
“Time moves on, people move on, and it would be preferable from our point of view if the requirements and obligations were clear and in legislation rather than subject to executive decision-making.”